Rekall info
2018. 3. 22. 01:58 · Security & Hacking / Information Security
| Command | Provider Class | Docs |
|---|---|---|
| | ELFPlugins | Baseclass for all ELF plugins. |
| | BaseSessionCommand | Base class for all session management plugins. |
| address_resolver | DarwinAddressResolver | A Darwin specific address resolver plugin. |
| address_resolver | WindowsAddressResolver | A windows specific address resolver plugin. |
| address_resolver | LinuxAddressResolver | A Linux specific address resolver plugin. |
| address_resolver | LinuxAPIAddressResolver | A Linux specific address resolver plugin. |
| address_resolver | PEAddressResolver | A simple address resolver for PE files. |
| aff4acquire | AFF4Acquire | Copy the physical address space to an AFF4 file. |
| aff4dump | AFF4Dump | Dump the entire resolver contents for an AFF4 volume. |
| aff4export | AFF4Export | Exports all the streams in an AFF4 Volume. |
| aff4ls | AFF4Ls | List the content of an AFF4 file. |
| agent | RekallAgent | The Rekall DFIR Agent. |
| allproc | DarwinAllProcCollector | |
| analyze_struct | AnalyzeStruct | A plugin to analyze a memory location. |
| api | APIGenerator | Generate the plugin API document. |
| arp | Arp | print the ARP table. |
| arp | DarwinArp | Show information about arp tables. |
| artifact_collector | ArtifactsCollector | Collects artifacts. |
| artifact_list | ArtifactsList | List details about all known artifacts. |
| artifact_view | ArtifactsView | |
| atoms | Atoms | Print session and window station atom tables. |
| atomscan | AtomScan | Pool scanner for _RTL_ATOM_TABLE |
| banner | Banner | Prints the Linux banner information. |
| bash | BashHistory | Scan the bash process for history. |
| boot_cmdline | DarwinBootParameters | Prints the kernel command line. |
| build_index | BuildIndex | Generate a profile index file based on an index specification. |
| build_local_profile | BuildProfileLocally | Download and builds a profile locally in one step. |
| callback_scan | CallbackScan | Print system-wide notification routines by scanning for them. |
| callbacks | Callbacks | Enumerate callback routines. |
| cc | WindowsSetProcessContext | A cc plugin for windows. |
| cc | LinuxSetProcessContext | A cc plugin for windows. |
| cc | DarwinSetProcessContext | A cc plugin for windows. |
| cc | APISetProcessContext | A cc plugin for setting process context to live mode. |
| cc | SetPartitionContext | |
| certscan | CertYaraScan | Scan certificates in windows memory regions. |
| check_afinfo | CheckAFInfo | Verifies the operation function pointers of network protocols. |
| check_creds | CheckCreds | Checks if any processes are sharing credential structures |
| check_idt | CheckIdt | Checks if the IDT has been altered |
| check_modules | CheckModules | Compares module list to sysfs info, if available. |
| check_pehooks | CheckPEHooks | Checks a pe file mapped into memory for hooks. |
| check_proc_fops | CheckProcFops | Checks the proc filesystem for hooked f_ops. |
| check_syscall | CheckSyscall | Checks if the system call table has been altered. |
| check_syscalls | DarwinCheckSysCalls | Checks the syscall table. |
| check_task_fops | CheckTaskFops | Check open files in tasks for f_ops modifications. |
| check_trap_table | CheckTrapTable | Checks the traps table for hooks. |
| check_ttys | CheckTTY | Checks tty devices for hooks. |
| clipboard | Clipboard | Extract the contents of the windows clipboard |
| cmdscan | CmdScan | Extract command history by scanning for _COMMAND_HISTORY |
| collect | Collect | Collect instances of struct of type 'type_name'. |
| connections | Connections | |
| connscan | ConnScan | Scan Physical memory for _TCPT_OBJECT objects (tcp connections) |
| consoles | Consoles | Enumerate command consoles. |
| consolescan | ConsoleScan | Extract command history by scanning for _CONSOLE_INFORMATION |
| convert_profile | ConvertProfile | Convert a profile from another program to the Rekall format. |
| cpuinfo | CpuInfo | Prints information about each active processor. |
| dead_fileprocs | DarwinDeadFileprocCollector | |
| dead_procs | DarwinDeadProcessCollector | Lists dead processes using the proc allocation zone. |
| dead_sessions | DarwinSessionZoneCollector | |
| dead_sockets | DarwinSocketZoneCollector | |
| dead_ttys | DarwinTTYZoneCollector | |
| dead_vnodes | DarwinZoneVnodeCollector | |
| describe | Describe | Describe the output of a plugin. |
| desktops | WinDesktops | Print information on each desktop. |
| devicetree | DeviceTree | Show device tree. |
| dis | Disassemble | Disassemble the given offset. |
| dlldump | DLLDump | Dump DLLs from a process address space |
| dlllist | WinDllList | Prints a list of dll modules mapped into each process. |
| dmesg | DarwinDMSG | Print the kernel debug messages. |
| dmesg | LinuxDmesg | Gathers dmesg buffer. |
| dns_cache | WinDNSCache | Dump the windows DNS resolver cache. |
| driverirp | DriverIrp | Driver IRP hook detection |
| driverscan | DriverScan | Scan for driver objects _DRIVER_OBJECT |
| dt | DT | Print a struct or other symbol. |
| dtbscan | DTBScan | Scans the physical memory for DTB values. |
| dump | Dump | Hexdump an object or memory location. |
| dump_zone | DarwinDumpZone | Dumps an allocation zone's contents. |
| dumpcompressedmemory | DarwinDumpCompressedPages | Dumps all compressed pages. |
| dumpfiles | DumpFiles | Dump files from memory. |
| dwarfparser | DwarfParser | Parse the dwarf file and dump a vtype structure from it. |
| elf_sections | ELFSections | |
| elf_versions_needed | ELFVerNeeded | |
| elf_versions_symbols | ELFVerSymbols | |
| eventhooks | WinEventHooks | Print details on windows event hooks |
| evtlogs | EvtLogs | Extract Windows Event Logs (XP/2003 only) |
| ewfacquire | EWFAcquire | Copy the physical address space to an EWF file. |
| fetch_pdb | FetchPDB | Fetch the PDB file for an executable from the Microsoft PDB server. |
| file_yara | FileYaraScanner | Yara scanner which operates on files. |
| filescan | FileScan | Scan Physical memory for _FILE_OBJECT pool allocations |
| find | IRFind | List files recursively from a root path. |
| find_dtb | DarwinFindDTB | Tries to find the DTB address for the Darwin/XNU kernel. |
| find_dtb | LinuxFindDTB | A scanner for DTB values. Handles both 32 and 64 bits. |
| find_dtb | WinFindDTB | A plugin to search for the Directory Table Base for windows systems. |
| find_kaslr | DarwinFindKASLR | A scanner for KASLR slide values in the Darwin kernel. |
| fls | FLS | |
| fls | TSKFls | |
| fstat | FStat | Print information by filename. |
| gahti | Gahti | Dump the USER handle type information. |
| getservicesids | GetServiceSids | Get the names of services in the Registry and return Calculated SID |
| glob | IRGlob | Search for files by filename glob. |
| grep | Grep | Search an address space for keywords. |
| guess_guid | GuessGUID | Try to guess the exact version of a kernel module by using an index. |
| handles | Handles | Print list of open handles for each process |
| handles | DarwinHandles | Walks open files of each proc and collects the fileproc. |
| hash | IRHash | |
| heapdump | HeapChunkDumper | Dumps allocated/freed chunks from selected processes |
| heapinfo | HeapOverview | Tries to gather a list of all arenas/heaps and all allocated chunks. |
| heapobjects | HeapObjects | Prints the structs of heap objects (such as allocated chunks, arenas, |
| heaprefs | HeapReferenceSearch | Examines the data part of the given chunk for references to other |
| heapsearch | HeapPointerSearch | Searches all chunks for the given string, regex or pointer(s). |
| hexdump_file | IRDump | Hexdump files from disk. |
| hivedump | HiveDump | Prints out a hive |
| hives | Hives | List all the registry hives on the system. |
| hooks_eat | EATHooks | Detect EAT hooks in process and kernel memory |
| hooks_iat | IATHooks | Detect IAT/EAT hooks in process and kernel memory |
| hooks_inline | InlineHooks | Detect API hooks in process and kernel memory |
| hostname | Hostname | |
| idump | IDump | Dump a part of an MFT file. |
| iexport | IExport | Extracts files from NTFS. |
| ifconfig | DarwinIfnetCollector | |
| ifconfig | Ifconfig | Gathers active interfaces. |
| ils | ILS | List files in an NTFS image. |
| imagecopy | ImageCopy | Copies a physical address space out as a raw DD image |
| imageinfo | ImageInfo | List overview information about this image. |
| impscan | ImpScan | Scan for calls to imported functions. |
| info | Info | Print information about various subsystems. |
| inspect_heap | InspectHeap | Inspect the process heap. |
| inspect_vaddr | MemoryTranslation | Inspect the mapping of a virtual address. |
| iomem | IOmem | mimics /proc/iomem. |
| ip_filters | DarwinIPFilters | Check IP Filters for hooks. |
| istat | IStat | Print information related to an MFT entry. |
| json_render | JSONParser | Renders a json rendering file, as produced by the JsonRenderer. |
| kdbgscan | KDBGScan | Scan for possible _KDDEBUGGER_DATA64 structures. |
| keepassx | Keepassx | Gathers password entries for keepassx. |
| kpcr | KPCR | A plugin to print all KPCR blocks. |
| l | Lister | A plugin to list objects. |
| ldrmodules | LdrModules | Detect unlinked DLLs |
| live | Live | Launch a Rekall shell for live analysis on the current system. |
| load_as | LoadAddressSpace | Load address spaces into the session if it's not already loaded. |
| load_plugin | LoadPlugins | Load user provided plugins. |
| load_profile | LoadWindowsProfile | Loads the profile into the session. |
| lookup | Lookup | Lookup a global in the profile. |
| lsmod | Lsmod | Gathers loaded kernel modules. |
| lsmod | DarwinLsmod | Lists all kernel modules. |
| lsmod_parameters | Lsmod_parameters | Display parameters for all kernel modules. |
| lsmod_sections | LsmodSections | Display all the ELF sections of kernel modules. |
| lsof | DarwinLsof | Walks open files of each proc in order and prints PID, FD and the handle. |
| lsof | Lsof | Lists open files. |
| lsof | APILsof | A plugin which lists all open files. |
| machine_info | DarwinMachineInfo | Show information about this machine. |
| malfind | Malfind | Find hidden and injected code |
| manage_repo | ManageRepository | Manages the profile repository. |
| maps | IRMaps | Examine the process memory maps. |
| maps | DarwinMaps | Display the process maps. |
| maps | ProcMaps | Gathers process maps for linux. |
| mcat | Mcat | Returns the contents available in memory for a given file. |
| memdump | WinMemDump | Dump windows processes. |
| memdump | DarwinMemDump | Dumps the memory map for darwin tasks. |
| memdump | LinMemDump | Dump the addressable memory for a process. |
| memmap | LinMemMap | Dumps the memory map for linux tasks. |
| memmap | DarwinMemMap | Prints the memory map for darwin tasks. |
| memmap | WinMemMap | Calculates the memory regions mapped by a process. |
| messagehooks | WinMessageHooks | List desktop and thread window message hooks. |
| mfind | Mfind | Finds a file by name in memory. |
| mftdump | MftDump | Enumerate MFT entries from the cache manager. |
| mimikatz | Mimikatz | Extract and decrypt passwords from the LSA Security Service. |
| miranda | Miranda | |
| mls | Mls | Lists the files in a mounted filesystem. |
| mmls | TskMmls | |
| moddump | ModDump | Dump kernel drivers from kernel space. |
| moddump | Moddump | Dumps loaded kernel modules. |
| modscan | ModScan | Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects. |
| modules | Modules | Print list of loaded kernel modules. |
| moo | RekallBovineExperience3000 | Renders Bessy the cow and some beer. |
| mount | Mount | Lists the mount points. |
| mount | DarwinMount | Show mount points. |
| mutantscan | MutantScan | Scan for mutant objects _KMUTANT |
| netscan | WinNetscan | Scan a Vista, 2008 or Windows 7 image for connections and sockets |
| netstat | DarwinNetstat | Prints all open sockets we know about, from any source. |
| netstat | WinNetstat | Enumerate image for connections and sockets |
| netstat | Netstat | Print the active network connections. |
| notifier_chains | NotifierChainPlugin | Outputs and verifies kernel notifier chains. |
| notifiers | DarwinNotifiers | Detects hooks in I/O Kit IONotify objects. |
| null | Null | This plugin does absolutely nothing. |
| object_tree | ObjectTree | Visualize the kernel object tree. |
| object_types | Objects | Displays all object Types on the system. |
| open_sockets | DarwinSocketsFromHandles | Looks up handles that point to a socket and collects the socket. |
| osquery | OSQuery | Runs the OSQuery query and emit the results. |
| p | Printer | A plugin to print an object. |
| pagefiles | Pagefiles | Report all the active pagefiles. |
| parse_pdb | ParsePDB | Parse the PDB streams. |
| pas2vas | WinPas2Vas | Resolves a physical address to a virtual address in a process. |
| pas2vas | LinPas2Vas | Resolves a physical address to a virtual address in a process. |
| pas2vas | DarwinPas2Vas | Resolves a physical address to a virtual address in a process. |
| pedump | PEDump | Dump a PE binary from memory. |
| peinfo | PEInfo | Print information about a PE binary. |
| pfn | PFNInfo | Prints information about an address from the PFN database. |
| pgrphash | DarwinPgrpHashCollector | |
| phys_map | WinPhysicalMap | Prints the boot physical memory map. |
| phys_map | DarwinPhysicalMap | Prints the EFI boot physical memory map. |
| pidhash | DarwinPidHashProcessCollector | |
| pidhashtable | PidHashTable | List processes by enumerating the pid hash tables. |
| pkt_queues | PacketQueues | Dumps the current packet queues for all known open sockets. |
| pool_tracker | PoolTracker | Enumerate pool tag usage statistics. |
| pools | Pools | Prints information about system pools. |
| printkey | PrintKey | Print a registry key, and its subkeys and values |
| privileges | Privileges | Prints process privileges. |
| procdump | ProcExeDump | Dump a process to an executable file sample |
| procinfo | ProcInfo | Dump detailed information about a running process. |
| psaux | DarwinPSAUX | List processes with their commandline. |
| psaux | PSAux | Gathers processes along with full command line and start time. |
| pslist | DarwinPslist | |
| pslist | WinPsList | List processes for windows. |
| pslist | APIPslist | A live pslist plugin using the APIs. |
| pslist | LinuxPsList | Gathers active tasks by walking the task_struct->task list. |
| psscan | PSScan | Scan Physical memory for _EPROCESS pool allocations. |
| pstree | LinPSTree | Shows the parent/child relationship between processes. |
| pstree | DarwinPsTree | |
| pstree | PSTree | Print process list as a tree |
| psxview | DarwinPsxView | |
| psxview | LinuxPsxView | Find hidden processes comparing various process listings. |
| psxview | WindowsPsxView | Find hidden processes with various process listings |
| ptov | PtoV | Converts a physical address to a virtual address. |
| raise_the_roof | RaisingTheRoof | A plugin that exists to break your tests and make you cry. |
| rammap | WinRammap | Scan all physical memory and report page owners. |
| raw2dmp | Raw2Dump | Convert the physical address space to a crash dump. |
| regdump | RegDump | Dump all registry hives from memory into a dump directory. |
| route | DarwinRoute | Show routing table. |
| run | Run | A plugin which runs its argument (using eval). |
| run_flow | RunFlow | Run the flows specified. |
| sdel | SessionDelete | Delete a session. |
| search | Search | |
| services | Services | Enumerate all services. |
| session_api | APISessionGenerator | |
| sessions | DarwinSessions | Finds sessions by walking their global hashtable. |
| sessions | Sessions | List details on _MM_SESSION_SPACE (user logon sessions). |
| shell | InteractiveShell | An interactive shell for Rekall. |
| shimcachemem | ShimCacheMem | Extract the Application Compatibility Shim Cache from kernel memory. |
| show_allocation | ShowAllocation | Show the allocation containing the address. |
| show_referrer_alloc | FindReferenceAlloc | Show allocations that refer to an address. |
| sigscan | LinuxSigScan | Runs a signature scan against physical, kernel or process memory. |
| sigscan | DarwinSigScan | Runs a signature scan against physical, kernel or process memory. |
| sigscan | WinSigScan | Runs a signature scan against physical, kernel or process memory. |
| simple_certdump | CertDump | Dump certs found by cert scan. |
| simple_certscan | CertScan | Dump RSA private and public SSL keys from the physical address space. |
| simple_yarascan | SimpleYaraScan | A Simple plugin which only yarascans the physical Address Space. |
| slist | SessionList | List the sessions available. |
| smod | SessionMod | Modifies parameters of the current analysis session. |
| snew | SessionNew | Creates a new session by cloning the current one. |
| sockets | Sockets | |
| ssdt | WinSSDT | Enumerate the SSDT. |
| sswitch | SessionSwitch | Changes the current session to the session with session_id. |
| stat | IRStat | |
| svcscan | SvcScan | Scan for Windows services |
| symlinkscan | SymLinkScan | Scan for symbolic link objects |
| sysctl | DarwinSysctl | Dumps the sysctl database. |
| system_info | SystemInfo | Just emit information about the agent. |
| tasks | DarwinTaskProcessCollector | |
| terminals | DarwinTerminals | Lists open ttys. |
| thrdscan | ThrdScan | Scan physical memory for _ETHREAD objects |
| threads | Threads | Enumerate threads. |
| timers | Timers | Print kernel timers and associated module DPCs. |
| times | WindowsTimes | Return current time, as known to the kernel. |
| tokens | GetSIDs | Print the SIDs owning each process token. |
| unloaded_modules | UnloadedModules | Print a list of recently unloaded modules. |
| unp_sockets | DarwinUnpListCollector | Walks the global list of sockets in uipc_usrreq. |
| userassist | UserAssist | Print userassist registry keys and information |
| userhandles | UserHandles | Dump the USER handle tables |
| users | Users | Enumerate all users of this system. |
| vacbs | EnumerateVacbs | Enumerate all blocks cached in the cache manager. |
| vad | VAD | Concise dump of the VAD. |
| vaddump | DarwinVadDump | Dump the VMA memory for a process. |
| vaddump | IRVadDump | Dump the VMA memory for a process. |
| vaddump | VADDump | Dumps out the vad sections to a file |
| vaddump | LinVadDump | Dump the VMA memory for a process. |
| vadmap | LinuxVADMap | Inspect each page in the VAD and report its status. |
| vadmap | VADMap | Inspect each page in the VAD and report its status. |
| vadmap | DarwinVADMap | Inspect each page in the VAD and report its status. |
| version_modules | ModVersions | Try to determine the versions for all kernel drivers. |
| version_scan | VersionScan | Scan the physical address space for RSDS versions. |
| virt_map | WinVirtualMap | Prints the Windows Kernel Virtual Address Map. |
| vmscan | VmScan | Scan the physical memory attempting to find hypervisors. |
| vtop | VtoP | Prints information about the virtual to physical translation. |
| vtop | DarwinVtoP | Describe virtual to physical translation on darwin platforms. |
| vtop | LinVtoP | Describe virtual to physical translation on Linux platforms. |
| which_plugin | FindPlugins | Find which plugin(s) are available to produce the desired output. |
| win32k_autodetect | Win32kAutodetect | Automatically detect win32k struct layout. |
| windows_stations | WindowsStations | Displays all the windows stations by following lists. |
| yarascan | WinYaraScan | Scan using yara signatures. |
| yarascan | ProcessYaraScanner | Yara scan process memory using the ReadProcessMemory() API. |
| yarascan | LinYaraScan | Scan using yara signatures. |
| yarascan | DarwinYaraScan | Scan using yara signatures. |
| yarascan_physical | WinPhysicalYaraScanner | An experimental yara scanner over the physical address space. |
| zones | DarwinZoneCollector | |
| zsh | Zsh | Extracts the zsh command history, similar to the existing bash plugin. |